View Issue Details

ID: 0006550
Project: OXID eShop (all versions)
Category: 1. ----- eShop frontend -----
View Status: public
Last Update: 2016-12-08 15:33
Reporter: [email protected]
Priority: normal
Severity: minor
Reproducibility: sometimes
Status: acknowledged
Resolution: open
Product Version: 4.10.2 / 5.3.2
Target Version: (not set)
Fixed in Version: (not set)
Summary: 0006550: Captcha generates sometimes wrong image while e_mac contains special characters
Description: On some installations the captcha image is generated with 4 chars instead of 5. This results in wrong form validation.

I tracked down that the generated e_mac GET parameter which is generated by oxRegistry::getUtils()->strMan() may contain special chars. For example the generated image url could look like this: https://my-shop.com/core/utils/verificationimg.php?e_mac=ox_MB44HRFZNh4+

The plus sign at the end of this string will be interpreted as " " (space) when it is received by verificationimg.php. This results in a wrong code generation.

An easy fix seems to be to urlencode the e_mac part. See attached patch file.
Tags: No tags attached.
Theme: Not defined
Browser: Not defined
PHP Version: Not defined
MySQL Version: Not defined

Relationships

has duplicate 0006549 (closed, QA): Captcha generates sometimes wrong image while e_mac contains special characters
has duplicate 0006548 (closed, QA): Captcha generates sometimes wrong image while e_mac contains special characters

Activities

[email protected] (reporter), 2016-11-25 11:42

Attachment: captcha_image_fix.patch.zip (442 bytes)

QA (administrator), 2016-12-01 13:54, ~0011884

The arguments used in the call oxRegistry::getUtils()->strMan() in the Core/oxCaptcha::getImageUrl() method, namely $key and $this->getText(), are derived from the value of the config.inc parameter "captchaKey" (created during the Setup process) and the value of \oxCaptcha::$_sMacChars (hardcoded to be alphanumeric without any special characters) respectively. So it can be deduced that, with default behaviour, special characters are not possible in the shop.
Are there any special circumstances when a plus sign gets included in the string?

[email protected] (reporter), 2016-12-02 11:55, ~0011888

strMan will call oxEncryptor->encrypt(). This function does an XOR on both strings. The result is base64 encoded. The base64 character set includes '/' and '+'. So both characters are possible in the string and may break the verification image process.
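The mechanism described in the report and in the comment above, reproduced as an added example in Python (not OXID code and not the attached patch): a stand-in for oxEncryptor->encrypt() XORs the captcha text with the key, base64 encodes the result, and the token lands in the e_mac query parameter. Without urlencode(), the query-string parser on the receiving side turns a base64 '+' into a space; a decoder that drops the invalid character then yields four characters instead of five, which is the symptom the report describes. The key "kedXYZ", the captcha text "A7Zq3", the exact XOR scheme and the lenient decoder are constructed assumptions chosen so that the token contains a '+'.

```python
import base64
from urllib.parse import parse_qs, quote, urlsplit

# Constructed values: the real captchaKey and captcha text differ per installation.
CAPTCHA_KEY = "kedXYZ"
CAPTCHA_TEXT = "A7Zq3"
IMAGE_SCRIPT = "https://my-shop.com/core/utils/verificationimg.php"  # path from the report


def xor_bytes(key: bytes, data: bytes) -> bytes:
    """XOR data with the key, repeating the key if it is shorter.
    Stand-in for oxEncryptor->encrypt(); an assumption, not the real routine."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_e_mac(key: str, text: str) -> str:
    """Stand-in for strMan(): XOR, then base64 (alphabet includes '+' and '/')."""
    return "ox_" + base64.b64encode(xor_bytes(key.encode(), text.encode())).decode("ascii")


def image_url(e_mac: str, encode: bool) -> str:
    """Build the captcha image URL, with or without the urlencode() the patch proposes."""
    value = quote(e_mac, safe="") if encode else e_mac
    return f"{IMAGE_SCRIPT}?e_mac={value}"


def e_mac_as_received(url: str) -> str:
    """What a query-string parser hands to verificationimg.php: a raw '+' becomes a space."""
    return parse_qs(urlsplit(url).query)["e_mac"][0]


def lenient_b64decode(s: str) -> bytes:
    """Decoder that silently drops characters outside the base64 alphabet.
    Assumed server-side behaviour that shortens the decoded text by one character."""
    cleaned = "".join(c for c in s if (c.isascii() and c.isalnum()) or c in "+/")
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned)


def captcha_text_from_e_mac(key: str, e_mac: str) -> str:
    """Reverse of make_e_mac, as the image script must do before drawing the captcha."""
    raw = lenient_b64decode(e_mac.removeprefix("ox_"))
    return xor_bytes(key.encode(), raw).decode("latin-1")


def demo() -> dict:
    """Run the round trip once without and once with urlencode() on the token."""
    e_mac = make_e_mac(CAPTCHA_KEY, CAPTCHA_TEXT)
    broken = captcha_text_from_e_mac(CAPTCHA_KEY, e_mac_as_received(image_url(e_mac, encode=False)))
    fixed = captcha_text_from_e_mac(CAPTCHA_KEY, e_mac_as_received(image_url(e_mac, encode=True)))
    return {"e_mac": e_mac, "unencoded": broken, "urlencoded": fixed}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

With these inputs the token is "ox_KlI+KWo="; sent raw it arrives as "ox_KlI KWo=" and decodes to four bytes, sent through quote() (the Python counterpart of PHP's urlencode()) it arrives intact and decodes back to "A7Zq3". The same parser step also turns the reporter's own token "ox_MB44HRFZNh4+" into "ox_MB44HRFZNh4 ".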